Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
618
Views
10
Helpful
2
Replies

IPS 4270 sensors on "Inline-On-A-Stick" Mode

antonyabraham
Level 1
Level 1

‎08-15-2008 06:52 AM - edited ‎03-10-2019 04:15 AM

Hello,

We are planning to user VLAN pair mode using Ether channel trunks (Inline-on-a-stick) mainly to over come the lack of 10 GigE interfaces which would prevent us from adopting traditional in-line architecture for firewalls with 10 GigE interfaces.

Do you or your customers have experience with Inline-on-a-stick? Could you please share your advices and any word of caution we need to keep in mind?

I do know the Bypass can't work in this mode, which we are planning to address by deploying multiple IPS 4270 appliances and Ether Channels.

Any suggestions are appreciated!

Thanks,

Antony

Labels:
0 Helpful
2 Replies 2

rhermes
Level 7
Level 7

‎08-15-2008 10:21 AM

With VLAN pairs you need to be aware of the "sharing" going on between the two VLANS on the same GigE interface. Each VLAN should be loaded to no more than 50%.

I would reccomend an external VLAN bypass for when the sensor takes a nap, reloads or gets an OS update. I've done this with an alternate path between the two VLANS with a higher Spanning Tree cost. If you play with the SPT parmeters you can get the switchover down to under a second.

antonyabraham
Level 1
Level 1
In response to rhermes

‎08-18-2008 12:23 PM

Thanks for the reply Robert,

You raised very important points about the VLAN sharing and alternate path. Appreciate the help.

- Antony

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card